(1) Real Party in Interest

A statement identifying by name the real party in interest is contained in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial 
proceedings which will directly affect or be directly affected by or have a bearing on the 
Board's decision in the pending appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is correct. 

(4) Status of Amendments After Final 

The appellant's statement of the status of amendments after final rejection 
contained in the brief is correct. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is 
correct. 

(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is correct.

(8) Evidence Relied Upon 

6,886,102 B1       Lyle        7-2000
6,886,099 B1       Smithson    9-2000
6,321,338 B1       Porras      11-1998
2001/0039579 A1    Trcka       5-1997
6,934,857 B1       Bartleson   11-2000

Application/Control Number: 10/774,169
Art Unit: 2455

(9) Grounds of Rejection 



The following ground(s) of rejection are applicable to the appealed claims: 



Claim Rejections - 35 USC § 103 



1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1, 4-11, 21-22, 25-26, 28-35, 38-45, 55-56, 59-60, 62-69, 72-79, 89-90,
93-94, 96-103, 105 & 107 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No. 6,886,099 B1.

Lyle teaches the invention as claimed including system and method for protecting
a computer network against denial of service attacks (see abstract). 

3. As to claim 1, Lyle teaches a method for processing communication traffic,
comprising: 

monitoring the communication traffic that is directed to the addresses in the 
subset (col 5, lines 12-17; Lyle discloses that the method of monitoring the network
connection to send and receive information via the network and other computers);

determining respective baseline characteristics of the communication traffic that
is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses that
the method of determined the baseline incident rate and the variance used for all
networks);

detecting a deviation from the respective baseline characteristics of the 
communication traffic directed to at least one of the addresses in the group, wherein the 
deviation is indicative that at least a portion of the communication traffic is of potentially 
malicious origin (col 10, lines 28-34; Lyle discloses that the method of detecting the
network traffic for the suspicious high volume of network traffic and particular portion of
the attacked). 

But Lyle failed to teach the claim limitation wherein identifying a subset of the
group of the addresses such that the addresses in the subset are expected to receive 
smaller amounts of the communication traffic than other addresses in the group; 
responsively to detecting the deviation, filtering the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Smithson teaches computer virus detection (see abstract). Smithson 
teaches the limitation wherein identifying a subset of the group of the addresses such
that the addresses in the subset are expected to receive smaller amounts of the 
communication traffic than other addresses in the group (figure 2; col 4, lines 5-25; col 
5, lines 7-23); responsively to detecting the deviation, filtering the communication traffic
that is directed to all of the addresses in the group so as to remove at least some of the
communication traffic that is of the malicious origin (figure 23; col 6, lines 34-45). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

4. As to claim 4, Lyle and Smithson teach the method as recited in claim 1, wherein
the baseline characteristics comprise a distribution of communication protocols used in
generating the communication traffic (col 10, lines 19-28; Lyle discloses that the method
of tracking the communication traffic using the sniffer module). 

5. As to claim 5, Lyle and Smithson teach the method as recited in claim 1, wherein
the baseline characteristics comprise a distribution of ports to which the communication
traffic is directed (col 14, lines 38-42; Lyle discloses that the method of tracking the
source of the attack to determined the point of the attack at which the attack is entering 
the network or sub-network). 

6. As to claim 6, Lyle and Smithson teach the method as recited in claim 1, wherein
the baseline characteristics comprise a distribution of source addresses of the
communication traffic (col 14, lines 13-19; Lyle discloses that the method of
characteristics of the incident, such as the source address, target address, and 
preceding characteristics).

7. As to claim 7, Lyle and Smithson teach the method as recited in claim 1, wherein
the baseline characteristics comprise a distribution of sizes of data packets sent to the
addresses in the group (col 10, lines 44-53; Lyle discloses that the method of detecting
the particular port for receiving an unusually high number of data packets of any type, the
sniffer module would identified as the possible attack).

8. As to claim 8, Lyle and Smithson teach the method as recited in claim 1, wherein
the baseline characteristics are indicative of a distribution of operating systems running
on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle
discloses that the method of determined the system of receiving and sending packets). 

9. As to claim 9, Lyle and Smithson teach the method as recited in claim 8, wherein
detecting the deviation comprises reading a Time-To-Live (TTL) field in Internet Protocol
headers of data packets sent to the addresses in the group, and detecting a change in
values of the TTL field relative to the baseline characteristics (col 11, lines 26-38).

10. As to claim 10, Lyle and Smithson teach the method as recited in claim 1,
wherein detecting the deviation comprises detecting events that are indicative of a
failure in communication between a first computer at one of the addresses in the group
and a second computer at another location in the network (col 6, lines 61 - col 7, lines
15; Lyle discloses that the method of tracking the location of the core routers and any
associated network element and blocking the potential attack). 

11. As to claim 11, Lyle and Smithson teach the method as recited in claim 10,
wherein detecting the events comprises detecting failures to establish a Transmission 
Control Protocol (TCP) connection (col 22, lines 25-43). 




12. As to claim 21, Lyle and Smithson teach the method as recited in claim 1,
wherein detecting the deviation comprises detecting a type of the communication traffic 
that appears to be of the malicious origin, and wherein monitoring the communication 
traffic comprises collecting specific information relating to the traffic of the detected type 
(col 4, lines 55-68; Lyle discloses that the method of monitoring the security of the
computer network such as suspicious, malicious or virus packets). 

13. As to claim 22, Lyle and Smithson teach the method as recited in claim 21,
wherein collecting the specific information comprises determining one or more source
addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses that the
method of listing the list of suspicious source addresses). 

14. As to claim 25, Lyle teaches a method for processing communication traffic,
comprising: 

monitoring the communication traffic originating from a group of addresses and 
passing through a selected node on a network (col 12, lines 44-53; Lyle discloses that
the method of monitoring the communication traffic of the network for sending and 
receiving packets); 

tracing a route of the traffic from the selected node back to the at least one of the 
addresses so as to identify a location of the computer on which the malicious program is 
running (col 6, lines 15-23; Lyle discloses that the method of tracking system of the
protected area for the network elements). 

But Lyle failed to teach the claim limitation wherein detecting a pattern in the
traffic originating from at least one of the addresses that is indicative of a malicious
program running on a computer at the at least one of the addresses by determining that
the computer has transmitted packets to a large number of different destination
addresses. 

However, Smithson teaches the limitation wherein detecting a pattern in the 
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses (figure 2; col 4, lines 5-25; col 5, lines 6-23). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

15. As to claim 26, Lyle and Smithson teach the method as recited in claim 25,
wherein tracing the route comprises identifying a port of a switch on the network to
which the computer is connected, and comprising disabling the identified port (col 16,
lines 54 - col 17, lines 13; Lyle discloses that the method of tracking the port at which
the attack was detected to identified the port at which the node through which packets 
or message associated with the attack entering that node). 

16. As to claim 28, Lyle and Smithson teach the method as recited in claim 25,
wherein detecting the pattern comprises detecting a large number of packets
transmitted by the computer to a specified port (col 12, lines 63 - col 13, lines 8; Lyle
discloses that the method of detecting when the massive numbers of copies of a
suspicious but relatively innocuous message in the hope of overloading the security 
system). 

17. As to claim 29, Lyle teaches a method for processing communication traffic,
comprising: 

monitoring the communication traffic on a network so as to detect packets that 
are indicative of a communication failure in the network that is characteristic of a worm 
infection (col 10, lines 53-59; Lyle discloses that the method of monitoring the network
traffic for the suspicious in the sense that it indicates that an attack may be taking 
place); 

detecting an increase in a rate of arrival of the packets that are indicative of the 
communication failure (col 10, lines 60 - col 11, lines 1; Lyle discloses that the method
of determined if the rate of certain types of messages exceeds a normal level). 

But Lyle failed to teach the claim limitation wherein responsively to the increase,
filtering the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the increase, 
filtering the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection (figure 23; col 6, lines 34- 
43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

18. As to claim 30, Lyle and Smithson teach the method as recited in claim 29,
wherein monitoring the communication traffic comprises detecting Internet Control 
Message Protocol (ICMP) unreachable packets (col 9, lines 7-37). 

19. As to claim 31, Lyle and Smithson teach the method as recited in claim 29,
wherein monitoring the communication traffic comprises detecting failures to establish a 
Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

20. As to claim 32, Lyle teaches a method for processing communication traffic,
comprising: 

monitoring the communication traffic on a network so as to detect ill-formed 
packets (col 7, lines 9-19; Lyle discloses that the method of scanning the network for
the suspicious data within the tracking system); 

making a determination, responsively to the ill-formed packets, that at least a 
portion of the communication traffic has been generated by a worm infection (col 8, lines 
26-39; Lyle discloses that the method of determined the alert module for the potential
attack).

But Lyle failed to teach the claim limitation wherein responsively to the
determination, filtering the communication traffic so as to remove at least the portion of
the communication traffic that is generated by the worm infection.

However, Smithson teaches the limitation wherein responsively to the
determination, filtering the communication traffic so as to remove at least the portion of 
the communication traffic that is generated by the worm infection (figure 23; col 6, lines 
34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

21. As to claim 33, Lyle and Smithson teach the method as recited in claim 32,
wherein the packets comprise a header specifying a communication protocol, and 
wherein monitoring the communication traffic comprises determining that the packets 
contain data that are incompatible with the specified communication protocol (col 11, 
lines 61 - col 12, lines 19; Lyle discloses that the method of determined the
incompatible packet by measure the numerical order of the packet). 

22. As to claim 34, Lyle and Smithson teach the method as recited in claim 32,
wherein the packets comprise a header specifying a packet length, and wherein 
monitoring the communication traffic comprises determining that the packets contain an 
amount of data that is incompatible with the specified packet length (col 18, lines 48-59; 
Lyle discloses that the method of suspicious packet by its bits).

23. As to claim 35, Lyle teaches an apparatus comprising a guard device, which is
adapted to

monitor the communication traffic that is directed to a group of addresses in the
subset (col 5, lines 12-17; Lyle discloses that the apparatus of monitoring the network
connection to send and receive information via the network and other computers), 

to determine respective baseline characteristics of the communication traffic that 
is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses that
the apparatus of determined the baseline incident rate and the variance used for all 
networks), 

to detect a deviation from the respective baseline characteristics of the 
communication traffic directed to at least one of the addresses in the subset, wherein 
the deviation is indicative that at least a portion of the communication traffic is of 
potentially malicious origin (col 10, lines 28-34; Lyle discloses that the apparatus of
detecting the network traffic for the suspicious high volume of network traffic and 
particular portion of the attacked). 

But Lyle failed to teach the claim limitation wherein identify a selected subset of
the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group; 
responsively to detecting the deviation, to filter the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Smithson teaches the limitation wherein identify a selected subset of 
the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group
(figure 2; col 4, lines 5-25; col 5, lines 6-23); responsively to detecting the deviation, to 
filter the communication traffic that is directed to all of the addresses in the group so as 
to remove at least some of the communication traffic that is of the malicious origin 
(figure 23; col 6, lines 34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

24. As to claim 38, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the baseline characteristics comprise a distribution of communication protocols
used in generating the communication traffic (col 10, lines 19-28; Lyle discloses that the
apparatus of tracking the communication traffic using the sniffer module). 

25. As to claim 39, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the baseline characteristics comprise a distribution of ports to which the
communication traffic is directed (col 14, lines 38-42; Lyle discloses that the apparatus
of tracking the source of the attack to determined the point of the attack at which the 
attack is entering the network or sub-network). 

26. As to claim 40, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the baseline characteristics comprise a distribution of source addresses of the
communication traffic (col 14, lines 13-19; Lyle discloses that the apparatus of
characteristics of the incident, such as the source address, target address and
preceding characteristics). 

27. As to claim 41, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the baseline characteristics comprise a distribution of sizes of data packets
sent to the addresses in the group (col 10, lines 44-53; Lyle discloses that the apparatus
of detecting the particular port for receiving an unusually high number of data packets of
any type, the sniffer module would identified as the possible attack).

28. As to claim 42, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the baseline characteristics are indicative of a distribution of operating systems
running on computers that have transmitted the communication traffic (col 21, lines 32-49;
Lyle discloses that the apparatus of determined the system of receiving and sending
packets).

29. As to claim 43, Lyle and Smithson teach the apparatus as recited in claim 42,
wherein the guard device is adapted to read a Time-To-Live (TTL) field in Internet
Protocol headers of data packets sent to the addresses in the group, and to detect a
change in values of the TTL field relative to the baseline characteristics due to the
distribution of the operating systems (col 11, lines 26-38).

30. As to claim 44, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the guard device is adapted to detect events that are indicative of a failure in
communication between a first computer at one of the addresses in the group and a
second computer at another location in the network (col 6, lines 61 - col 7, lines 15;
Lyle discloses that the apparatus of tracking the location of the core routers and any
associated network element and blocking the potential attack). 

31. As to claim 45, Lyle and Smithson teach the apparatus as recited in claim 44,
wherein the events comprise failures to establish a Transmission Control Protocol 
(TCP) connection (col 22, lines 25-43). 

32. As to claim 55, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the guard device is adapted to detect a type of the communication traffic that
appears to be of the malicious origin, and to monitor the communication traffic so as to
collect specific information relating to the traffic of the detected type (col 4, lines 55-68;
Lyle discloses that the apparatus of monitoring the security of the computer network
such as suspicious, malicious or virus packets). 

33. As to claim 56, Lyle and Smithson teach the apparatus as recited in claim 55,
wherein the specific information comprises one or more source addresses of the traffic
of the detected type (col 10, lines 38-43; Lyle discloses that the apparatus of listing the
list of suspicious source addresses). 

34. As to claim 59, Lyle teaches an apparatus comprising:

monitor the communication traffic originating from a group of addresses and
passing through a selected node on a network (col 12, lines 44-53; Lyle discloses that
the apparatus of monitoring the communication traffic of the network for sending and 
receiving packets), 

to trace a route of the traffic from the selected node back to the at least one of 
the addresses so as to identify a location of the computer on which the malicious
program is running (col 6, lines 15-23; Lyle discloses that the apparatus of tracking
system of the protected area for the network elements). 

But Lyle failed to teach the claim limitation wherein to detect a pattern in the
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Smithson teaches the limitation wherein to detect a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses 
(figure 2; col 4, lines 5-25; col 5, lines 6-23). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus.

35. As to claim 60, Lyle and Smithson teach the apparatus as recited in claim 59,
wherein the guard device is adapted to identify a port of a switch on the network to
which the computer is connected, and to instruct the switch to disable the identified port
(col 16, lines 54 - col 17, lines 13; Lyle discloses that the apparatus of tracking the port
at which the attack was detected to identified the port at which the node through which
packets or message associated with the attack entering that node).

36. As to claim 62, Lyle and Smithson teach the apparatus as recited in claim 59,
wherein the guard device is adapted to detect the pattern by detecting a large number
of packets transmitted by the computer to a specified port (col 12, lines 63 - col 13,
lines 8; Lyle discloses that the apparatus of detecting when the massive numbers of
copies of a suspicious but relatively innocuous message in the hope of overloading the 
security system). 

37. As to claim 63, Lyle teaches an apparatus comprising:

monitor the communication traffic on a network so as to detect packets that are 
indicative of a communication failure in the network that is characteristic of a worm 
infection (col 10, lines 53-59; Lyle discloses that the apparatus of monitoring the
network traffic for the suspicious in the sense that it indicates that an attack may be 
taking place), 

to detect an increase in a rate of arrival of the packets that are indicative of the 
communication failure (col 10, lines 60 - col 11, lines 1; Lyle discloses that the
apparatus of determined if the rate of certain types of messages exceeds a normal
level), and

But Lyle failed to teach the claim limitation wherein responsively to the increase,
to filter the communication traffic so as to remove at least a portion of the
communication traffic that is generated by the worm infection.

However, Smithson teaches the limitation wherein responsively to the increase,
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection (figure 23; col 6, lines 34- 
43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

38. As to claim 64, Lyle and Smithson teach the apparatus as recited in claim 63,
wherein the guard device is adapted to detect Internet Control Message Protocol 
(ICMP) unreachable packets as an indication of the communication failure (col 9, lines 
7-37). 

39. As to claim 65, Lyle and Smithson teach the apparatus as recited in claim 63,
wherein the guard device is adapted to detect failures to establish a Transmission 
Control Protocol (TCP) connection (col 22, lines 25-43). 

40. As to claim 66, Lyle teaches an apparatus comprising a guard device, which is
adapted: 

to monitor the communication traffic on a network so as to detect ill-formed 
packets (col 7, lines 9-19; Lyle discloses that the apparatus of scanning the network for
the suspicious data within the tracking system).

to make a determination, responsively to the ill-formed packets, that at least a
portion of the communication traffic has been generated by a worm infection (col 8, lines
26-39; Lyle discloses that the apparatus of determined the alert module for the potential
attack). 

But Lyle failed to teach the claim limitation wherein responsively to the
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection (figure 23; col 6, 
lines 34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus.

41. As to claim 67, Lyle and Smithson teach the apparatus as recited in claim 66,
wherein the packets comprise a header specifying a communication protocol, and
wherein the guard device is adapted to detect that the packets contain data that are
incompatible with the specified communication protocol (col 11, lines 61 - col 12, lines
19; Lyle discloses that the apparatus of determined the incompatible packet by measure
the numerical order of the packet).

42. As to claim 68, Lyle and Smithson teach the apparatus as recited in claim 66,
wherein the packets comprise a header specifying a packet length, and wherein the 
guard device is adapted to detect that the packets contain an amount of data that is 
incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses that the
apparatus of suspicious packet by its bits). 

43. As to claim 69, Lyle teaches a computer software product, comprising:

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor communication 
traffic that is directed the addresses in the subset (col 5, lines 12-17; Lyle discloses that
the product of monitoring the network connection to send and receive information via 
the network and other computers), 

to determine respective baseline characteristics of the communication traffic that 
is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses that
the product of determined the baseline incident rate and the variance used for all 
networks), 

to detect a deviation from the respective baseline characteristics of the 
communication traffic directed to at least one of the addresses in the subset, wherein 
the deviation is indicative that at least a portion of the communication traffic is of 
potentially malicious origin (col 10, lines 28-34; Lyle discloses that the product of
detecting the network traffic for the suspicious high volume of network traffic and
particular portion of the attacked).

But Lyle failed to teach the claim limitation wherein to identify a selected subset
of the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group, 
responsively to detecting the deviation, to filter the communication traffic that is directed 
to all of the addresses in the group so as to remove at least some of the communication 
traffic that is of the malicious origin. 

However, Smithson teaches the limitation wherein to identify a selected subset of 
the group of the addresses such that the addresses in the subset are expected to 
receive smaller amounts of the communication traffic than other addresses in the group 
(figure 2; col 4, lines 5-25; col 5, lines 6-23), responsively to detecting the deviation, to 
filter the communication traffic that is directed to all of the addresses in the group so as 
to remove at least some of the communication traffic that is of the malicious origin (col 
6, lines 34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

44. As to claim 72, Lyle and Smithson teach the product as recited in claim 69,
wherein the baseline characteristics comprise a distribution of communication protocols 
used in generating the communication traffic (col 10, lines 19-28; Lyle discloses that the
product of tracking the communication traffic using the sniffer module). 

45. As to claim 73, Lyle and Smithson teach the product as recited in claim 69,
wherein the baseline characteristics comprise a distribution of ports to which the 
communication traffic is directed (col 14, lines 38-42; Lyle discloses that the product of
tracking the source of the attack to determined the point of the attack at which the attack 
is entering the network or sub-network). 

46. As to claim 74, Lyle and Smithson teach the product as recited in claim 69,
wherein the baseline characteristics comprise a distribution of source addresses of the 
communication traffic (col 14, lines 13-19; Lyle discloses that the product of
characteristics of the incident, such as the source address, target address, and 
preceding characteristics). 

47. As to claim 75, Lyle and Smithson teach the product as recited in claim 69,
wherein the baseline characteristics comprise a distribution of sizes of data packets 
sent to the addresses in the group (col 10, lines 44-53; Lyle discloses that the product of
detecting the particular port for receiving an unusually high number of data packets of any
type, the sniffer module would identified as the possible attack). 

48. As to claim 76, Lyle and Smithson teach the product as recited in claim 69,
wherein the baseline characteristics are indicative of a distribution of operating systems 
running on computers that have transmitted the communication traffic (col 21, lines 32-
49; Lyle discloses that the product of determined the system of receiving and sending
packets). 

49. As to claim 77, Lyle and Smithson teach the product as recited in claim 76,
wherein instructions cause the computer to read a Time-To-Live (TTL) field in Internet 
Protocol headers of data packets sent to the addresses in the group, and to detect a
change in values of the TTL field relative to the baseline characteristics due to the 
distribution of the operating systems (col 11, lines 26-38). 

50. As to claim 78, Lyle and Smithson teach the product as recited in claim 69,
wherein the instructions cause the computer to detect events that are indicative of a 
failure in communication between a first computer at one of the addresses in the group
and a second computer at another location in the network (col 6, lines 61 - col 7, lines 
15; Lyle discloses that the product of tracking the location of the core routers and any
associated network element and blocking the potential attack). 

51. As to claim 79, Lyle and Smithson teach the product as recited in claim 78,
wherein the events comprise failures to establish a Transmission Control Protocol 
(TCP) connection (col 22, lines 25-43). 

52. As to claim 89, Lyle and Smithson teach the product as recited in claim 69,
wherein the instructions cause the computer to detect a type of the communication
traffic that appears to be of the malicious origin, and to monitor the communication 
traffic so as to collect specific information relating to the traffic of the detected type (col 
4, lines 55-68; Lyle discloses that the product of monitoring the security of the computer
network such as suspicious, malicious or virus packets). 

53. As to claim 90, Lyle and Smithson teach the product as recited in claim 89,
wherein the specific information comprises one or more source addresses of the traffic 
of the detected type (col 10, lines 38-43; Lyle discloses that the product of listing the list
of suspicious source addresses). 

54. As to claim 93, Lyle teaches a computer software product, comprising:

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic originating from a group of addresses and passing through a 
selected node on a network (col 12, lines 44-53; Lyle discloses that the product of
monitoring the communication traffic of the network for sending and receiving packets), 

to trace a route of the traffic from the selected node back to the at least one of 
the addresses so as to identify a location of the computer on which the malicious 
program is running (col 6, lines 15-23; Lyle discloses that the product of tracking system
of the protected area for the network elements). 

But Lyle failed to teach the claim limitation wherein to detect a pattern in the
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Smithson teaches the limitation wherein to detect a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses 
(figure 2; col 4, lines 5-25; col 5, lines 6-23). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

55. As to claim 94, Lyle and Smithson teach the product as recited in claim 93,
wherein the instructions cause the computer to identify a port of a switch on the network
to which the computer is connected, and to instruct the switch to disable the identified 
port (col 16, lines 54 - col 17, lines 13; Lyle discloses that the product of tracking the
port at which the attack was detected to identified the port at which the node through 
which packets or message associated with the attack entering that node). 

56. As to claim 96, Lyle and Smithson teach the product as recited in claim 93,
wherein the instructions cause the computer to detect the pattern by detecting a large 
number of packets transmitted by the computer to a specified port (col 12, lines 63 - col 
13, lines 8; Lyle discloses that the product of detecting when the massive numbers of
copies of a suspicious but relatively innocuous message in the hope of overloading the 
security system). 

57. As to claim 97, Lyle teaches a computer software product, comprising:

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect packets that are indicative of a 
communication failure in the network that is characteristic of a worm infection (col 10, 
lines 53-59; Lyle discloses that the product of monitoring the network traffic for the
suspicious in the sense that it indicates that an attack may be taking place). 

to detect an increase in a rate of arrival of the packets that are indicative of the
communication failure (col 10, lines 60 - col 11, lines 1; Lyle discloses that the product
of determined if the rate of certain types of messages exceeds a normal level). 

But Lyle failed to teach the claim limitation wherein responsively to the increase,
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the increase, 
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection (figure 23; col 6, lines 34- 
43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

58. As to claim 98, Lyle and Smithson teach the product as recited in claim 97,
wherein the instructions cause the computer to detect Internet Control Message 
Protocol (ICMP) unreachable packets as an indication of the communication failure (col 
9, lines 7-37). 

59. As to claim 99, Lyle and Smithson teach the product as recited in claim 97,
wherein the instructions cause the computer to detect failures to establish a 
Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 

60. As to claim 100, Lyle teaches a computer software product, comprising:

a computer-readable medium in which program instructions are stored, which
instructions, when read by a computer, cause the computer to monitor the
communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19;
Lyle discloses that the product of scanning the network for the suspicious data within
the tracking system),

to make a determination, responsively to the ill-formed packets, that at least a
portion of the communication traffic has been generated by a worm infection (col 8, lines
26-39; Lyle discloses that the product of determined the alert module for the potential
attack).

But Lyle failed to teach the claim limitation wherein responsively to the
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection (figure 23; col 6, 
lines 34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able
determined whether the files, software or emails contain virus. One would be motivated 
to do so to identifying the virus by comparing the parameters against the predetermined 
threshold levels and blocking all the traffic that contain virus. 

61. As to claim 101, Lyle and Smithson teach the product as recited in claim 100,
wherein the packets comprise a header specifying a communication protocol, and 
wherein the instructions cause the computer to detect that the packets contain data that 
are incompatible with the specified communication protocol (col 11, lines 61 - col 12,
lines 19; Lyle discloses that the product of determined the incompatible packet by
measure the numerical order of the packet). 

62. As to claim 102, Lyle and Smithson teach the product as recited in claim 100,
wherein the packets comprise a header specifying a packet length, and wherein the 
instructions cause the computer to detect that the packets contain an amount of data 
that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses
that the product of suspicious packet by its bits). 

63. As to claim 103, Lyle and Smithson teach the method as recited in claim 1,
wherein identifying the subset comprising selecting clients for inclusion in the subset
while excluding servers (figure 1; Lyle teaches the method of including the users in the
subset for the edge router).

64. As to claim 105, Lyle and Smithson teach the apparatus as recited in claim 35,
wherein the subset includes clients while excluding servers (figure 1; Lyle teaches the
apparatus of including the users in the subset for the edge router). 

65. As to claim 107, Lyle and Smithson teach the product as recited in claim 69,
wherein the subset includes clients while excluding servers (figure 1; Lyle teaches the
product of including the users in the subset for the edge router). 

66. Claims 12-13, 46-47, and 80-81 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No.
6,886,099 B1, and further in view of Porras, Patent No. 6,321,338 B1.

Lyle teaches the invention substantially as claimed including system and method
for protecting a computer network against denial of service attacks (see abstract). 

67. As to claim 12, Lyle and Smithson teach the method as recited in claim 1. But
Lyle and Smithson failed to teach the claim limitation wherein receiving packets that are
indicative of a communication failure in the network that is characteristic of a worm 
infection, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches network surveillance (see abstract). Porras teaches 
the limitation wherein receiving packets that are indicative of a communication failure in 
the network that is characteristic of a worm infection, and wherein filtering the 
communication traffic comprises deciding to filter the communication traffic responsively 
to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that the
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the liability of the network. 

68. As to claim 13, Lyle and Smithson teach the method as recited in claim 12. But
Lyle and Smithson failed to teach the claim limitation wherein receiving the packets
comprises receiving Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein receiving the packets comprises
receiving Internet Control Message Protocol (ICMP) unreachable packets (col 5, lines 4- 
29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that
filtering out the ICMP packets, which reach the gateway. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 

69. As to claim 46, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is
adapted to receive packets that are indicative of a communication failure in the network 
that is characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets. 

However, Porras teaches the limitation wherein the guard device is adapted to
receive packets that are indicative of a communication failure in the network that is
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the
invention to modify the combination of Lyle and Smithson in view of Porras so that the
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the liability of the network. 

70. As to claim 47, Lyle and Smithson teach the apparatus as recited in claim 46.
But Lyle and Smithson failed to teach the claim limitation wherein the packets comprise
Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that
filtering out the ICMP packets, which reach the gateway. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 

71. As to claim 80, Lyle and Smithson teach the product as recited in claim 69. But
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches the limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that the
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the liability of the network. 

72. As to claim 81, Lyle and Smithson teach the product as recited in claim 80. But
Lyle and Smithson failed to teach the claim limitation wherein the packets comprise
Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that
filtering out the ICMP packets, which reach the gateway. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 

73. Claims 14-20, 23-24, 48-54, 57-58, 82-88, and 91-92 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Lyle, Patent No. 6,886,102 B1 in view of
Smithson, Patent No. 6,886,099 B1, and further in view of Trcka, Patent No.
2001/0039579 A1. 

Lyle teaches the invention substantially as claimed including system and method
for protecting a computer network against denial of service attack (see abstract). 

74. As to claim 14, Lyle and Smithson teach the method as recited in claim 1. But
Lyle and Smithson failed to teach the claim limitation wherein monitoring the
communication traffic comprises making a determination that one or more packets 
transmitted over the network are ill-formed, and wherein filtering the communication 
traffic comprises deciding to filter the communication traffic responsively to the ill-formed
packets. 

However, Trcka teaches network security and surveillance system (see abstract). 
Trcka teaches the limitation wherein monitoring the communication traffic comprises 
making a determination that one or more packets transmitted over the network are ill- 
formed, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system would filter out the malicious packet. One would be motivated to do so to
ensure the safety of the network from the virus and hacker.

75. As to claim 15, Lyle and Smithson teach the method as recited in claim 1. But
Lyle and Smithson failed to teach the claim limitation wherein detecting the deviation
comprises incrementing a count of events that are indicative of the malicious origin of 
the communication traffic, and deciding whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
incrementing a count of events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system could enabling/disabling packet filtering. One would be motivated to do so to
records the data-link level traffic without interfering with the normal flow of traffic. 

76. As to claim 16, Lyle and Smithson teach the method as recited in claim 15,
wherein detecting the deviation comprises receiving data packets of potentially 
malicious origin, each data packet having a respective source address and destination 
address, and wherein incrementing the count comprises determining an amount by 
which to increment the count responsively to a given data packet depending upon 
whether among the data packets received previously, responsively to which the count 
was incremented, at least one data packet had the same respective source address and 
at least one data packet had the same respective destination address as the given data 
packet (col 7, lines 38-49; col 19, lines 51 - col 20, lines 23; Lyle discloses that the
method of identified the messages related to a known or suspected attack or possibility 
that an attack is taking place). 

77. As to claim 17, Lyle and Smithson teach the method as recited in claim 16,
wherein determining the amount by which to increment the count comprises 
incrementing the count only if none of the data packets received previously, 
responsively to which the count was incremented, had at least one of the same 
respective source address and the same respective destination address as the given 
data packet (col 15, lines 48 - col 16, lines 6; Lyle discloses that the method of tracking
back to the point of attack at which the attack entered the network or sub-network). 

78. As to claim 18, Lyle and Smithson teach the method as recited in claim 1. But
Lyle and Smithson failed to teach the claim limitation wherein detecting the deviation
comprises detecting a type of the communication traffic that appears to be of the
malicious origin, and wherein filtering the communication traffic comprises intercepting 
the communication traffic of the detected type. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
detecting a type of the communication traffic that appears to be of the malicious origin, 
and wherein filtering the communication traffic comprises intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet. One would be motivated to do so to ensure the safety of 
the network. 

79. As to claim 19, Lyle and Smithson teach the method as recited in claim 18,
wherein detecting the type comprises determining at least one of a communication 
protocol and a port that is characteristic of the communication traffic (col 5, lines 34-44; 
Lyle discloses that the method of managing the exchange of information between
network elements located at different physical locations via external connections such 
as an Internet connection). 

80. As to claim 20, Lyle and Smithson teach the method as recited in claim 18,
wherein detecting the type comprises determining one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and intercepting the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses that the method of tracking the source of an attack to determine the point
of attack at which it is entering the network or sub-network). 

81. As to claim 23, Lyle and Smithson teach the method as recited in claim 1. But
Lyle and Smithson failed to teach the claim limitation wherein monitoring and filtering
the communication traffic comprise monitoring and filtering the communication traffic 
that is transmitted into a protected area of the network containing the group of the 
addresses so as to exclude the communication traffic from the area. 

However, Trcka teaches the limitation wherein monitoring and filtering the 
communication traffic comprise monitoring and filtering the communication traffic that is 
transmitted into a protected area of the network containing the group of the addresses 
so as to exclude the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet, which tries to enter through the protected area. One 
would be motivated to do so to improve the network security. 

82. As to claim 24, Lyle and Smithson teach the method as recited in claim 23, and
comprising monitoring the communication traffic that is transmitted by computers in the 
protected area so as to detect an infection of one or more of the computers by a
malicious program (col 10, lines 35-38; Lyle discloses that the method of tracking the
system interconnect across the network, such as a private network which is a protected 
area). 

83. As to claim 48, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is
adapted to make a determination that one or more packets transmitted over the network 
are ill-formed, and to decide to filter the communication traffic responsively to the ill- 
formed packets. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
make a determination that one or more packets transmitted over the network are ill- 
formed, and to decide to filter the communication traffic responsively to the ill-formed 
packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system would filter out the malicious packet. One would be motivated to do so to
ensure the safety of the network from the virus and hacker.

84. As to claim 49, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is
adapted to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system could enabling/disabling packet filtering. One would be motivated to do so to 
records the data-link level traffic without interfering with the normal flow of traffic. 

85. As to claim 50, Lyle and Smithson teach the apparatus as recited in claim 49,
wherein the guard device is coupled to receive data packets of potentially malicious
origin, each data packet having a respective source address and destination address, 
and is adapted to determine an amount by which to increment the count responsively to 
a given data packet depending upon whether among the data packets received 
previously, responsively to which the count was incremented, at least one data packet 
had the same respective source address and at least one data packet had the same 
respective destination address as the given data packet (col 7, lines 38-49; col 19, lines 
51 - col 20, lines 23; Lyle discloses that the apparatus of identified the messages
related to a known or suspected attack or possibility that an attack is taking place). 

86. As to claim 51, Lyle and Smithson teach the apparatus as recited in claim 40,
wherein the guard device is adapted to increment the count only if none of the data 
packets received previously, responsively to which the count was incremented, had at 
least one of the same respective source address and the same respective destination 
address as the given data packet (col 15, lines 48 - col 16, lines 6; Lyle discloses that
the apparatus of tracking back to the point of attack at which the attack entered the 
network or sub-network). 

87. As to claim 52, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is
adapted to detect a type of the communication traffic that appears to be of the malicious 
origin, and to filter the communication traffic by intercepting the communication traffic of 
the detected type. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
detect a type of the communication traffic that appears to be of the malicious origin, and 
to filter the communication traffic by intercepting the communication traffic of the 
detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet. One would be motivated to do so to ensure the safety of 
the network. 

88. As to claim 53, Lyle and Smithson teach the apparatus as recited in claim 52,
wherein the type of the communication traffic that appears to be of the malicious origin
is characterized by at least one of a communication protocol and a port (col 5, lines 34-
44; Lyle discloses that the apparatus of managing the exchange of information between
network elements located at different physical locations via external connections such
as an Internet connection).

89. As to claim 54, Lyle and Smithson teach the apparatus as recited in claim 52,
wherein the guard device is adapted to determine one or more source addresses of the
communication traffic that appears to be of the malicious origin, and to intercept the
communication traffic sent from the one or more source addresses (col 16, lines 44-49;
Lyle discloses that the apparatus of tracking the source of an attack to determine the
point of attack at which it is entering the network or sub-network).

90. As to claim 57, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is
adapted to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein the guard device is adapted to
monitor and filter the communication traffic that is transmitted into a protected area of 
the network containing the group of the addresses so as to exclude the communication 
traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet, which tries to enter through the protected area. One 
would be motivated to do so to improve the network security. 

91. As to claim 58, Lyle and Smithson teach the apparatus as recited in claim 57,
wherein the guard device is adapted to monitor the communication traffic that is
transmitted by computers in the protected area so as to detect an infection of one or
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses that
the apparatus of tracking the system interconnect across the network, such as a private
network which is a protected area).

92. As to claim 82, Lyle and Smithson teach the product as recited in claim 69. But
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system would filter out the malicious packet. One would be motivated to do so to
ensure the safety of the network from the virus and hacker.

93. As to claim 83, Lyle and Smithson teach the product as recited in claim 69. But
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80).

It would have been obvious to one of ordinary skill in the art at the time of the
invention to modify the combination of Lyle and Smithson in view of Trcka so that the
system could enable/disable packet filtering. One would be motivated to do so to
record the data-link level traffic without interfering with the normal flow of traffic.

94. As to claim 84, Lyle and Smithson teach the product as recited in claim 83,
wherein when the computer is coupled to receive data packets of potentially malicious 
origin, each data packet having a respective source address and destination address, 
the instructions cause the computer to determine an amount by which to increment the 
count responsively to a given data packet depending upon whether among the data 
packets received previously, responsively to which the count was incremented, at least 
one data packet had the same respective source address and at least one data packet 
had the same respective destination address as the given data packet (col 7, lines 38- 
49; col 19, lines 51 - col 20, lines 23; Lyle discloses that the product of identified the
messages related to a known or suspected attack or possibility that an attack is taking 
place). 

95. As to claim 85, Lyle and Smithson teach the product as recited in claim 84,
wherein the instructions cause the computer to increment the count only if none of the
data packets received previously, responsively to which the count was incremented,
had at least one of the same respective source address and the same respective
destination address as the given data packet (col 15, lines 48 - col 16, lines 6; Lyle
discloses that the product of tracking back to the point of attack at which the attack 
entered the network or sub-network). 



96. As to claim 86, Lyle and Smithson teach the product as recited in claim 69. But
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet. One would be motivated to do so to ensure the safety of 
the network. 

97. As to claim 87, Lyle and Smithson teach the product as recited in claim 86,
wherein the type of the communication traffic that appears to be of the malicious origin
is characterized by at least one of a communication protocol and a port (col 5, lines 34-
44; Lyle discloses that the product of managing the exchange of information between
network elements located at different physical locations via external connections such
as an Internet connection).

98. As to claim 88, Lyle and Smithson teach the product as recited in claim 86,
wherein the instructions cause the computer to determine one or more source
addresses of the communication traffic that appears to be of the malicious origin, and to
intercept the communication traffic sent from the one or more source addresses (col 16,
lines 44-49; Lyle discloses that the product of tracking the source of an attack to
determine the point of attack at which it is entering the network or sub-network).

99. As to claim 91, Lyle and Smithson teach the product as recited in claim 69. But
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that
filtering the suspicious packet, which tries to enter through the protected area. One 
would be motivated to do so to improve the network security. 

100. As to claim 92, Lyle and Smithson teach the product as recited in claim 91,
wherein the instructions cause the computer to monitor the communication traffic that is
transmitted by computers in the protected area so as to detect an infection of one or
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses that
the product of tracking the system interconnect across the network, such as a private
network which is a protected area).

101. Claims 104, 106 & 108 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No.
6,886,099 B1, and further in view of Bartleson, Patent No. 6,934,857 B1.

Lyle teaches the invention substantially as claimed including system and method
for protecting a computer network against denial of service attacks (see abstract). 

102. As to claim 104, Lyle and Smithson teach the method as recited in claim 1. But
Lyle failed to teach the claim limitation wherein identifying the subset comprises
selecting trap addresses that are not used by actual computers for inclusion in the 
subset. 

However, Bartleson teaches security system and method for handheld 
computers (see abstract). Bartleson teaches the limitation wherein identifying the 
subset comprises selecting trap addresses that are not used by actual computers for 
inclusion in the subset (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that
the patch is loaded in the operating system when the security system is enabled. One
would be motivated to do so to create the trap address from the original address to
replace with the new patch to transfer the information to the trap address once the
virus or malicious packets got detected.

103. As to claim 106, Lyle and Smithson teach the apparatus as recited in claim 35.
But Lyle failed to teach the claim limitation wherein the subset includes trap addresses
that are not used by actual computers.

However, Bartleson teaches the limitation wherein the subset includes trap
addresses that are not used by actual computers (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that
the patch is loaded in the operating system when the security system is enabled. One
would be motivated to do so to create the trap address from the original address to
replace with the new patch to transfer the information to the trap address once the
virus or malicious packets got detected.

104. As to claim 108, Lyle and Smithson teach the product as recited in claim 69. But
Lyle failed to teach the claim limitation wherein the subset includes trap addresses that
are not used by actual computers. 

However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that
the patch is loaded in the operating system when the security system is enabled. One
would be motivated to do so to create the trap address from the original address to
replace with the new patch to transfer the information to the trap address once the
virus or malicious packets got detected.

(10) Response to Argument

• Applicant's arguments filed 11/6/08 have been fully considered but they are not
persuasive. In response to Applicant's argument, the Patent Office maintains the
rejection. In the remarks, the applicant argues in substance that; A) Lyle and
Smithson do not teach "identifying a subset of the group of the addresses such
that the addresses in the subset are expected to receive smaller amounts of the
communication traffic than other addresses in the group" (page 10, paragraph 3);
B) Smithson and Lyle do not teach or suggest "detecting an increase in a rate of
arrival of the packets that are indicative of the communication failure" (page 11,
paragraph 1); C) Lyle and Smithson do not teach "responsively to the increase,
filtering the communication traffic so as to remove at least a portion of the
communication traffic that is generated by the worm infection" (page 11,
paragraph 2); D) Lyle and Smithson do not teach "monitoring the communication
traffic on a network so as to detect ill-formed packets" (page 12, paragraph 1).



In response to A); Examiner respectfully disagrees. In response to 
Applicant's argument, the Patent Office maintains the rejection because Lyle and
Smithson do teach "identifying a subset of the group of the addresses such that
the addresses in the subset are expected to receive smaller amounts of the
communication traffic than other addresses in the group" (figure 2; col 4, lines 5-
25; col 5, lines 7-23; col 6, lines 40-45; Smithson discloses that the method of
periodically checks each of the measurement parameters against its respective
threshold to determine if the packet is an outbreak of computer virus).
Moreover, Smithson discloses the method of testing the threshold to determine
if the signal indicated the virus outbreak. Therefore, Lyle and Smithson meet the
claim limitation. 

In response to B); Examiner respectfully disagrees. In response to 
Applicant's argument, the Patent Office maintains the rejection because Lyle and
Smithson do teach "detecting an increase in a rate of arrival of the packets that
are indicative of the communication failure" (col 10, lines 60 - col 11, lines 1; col
13, lines 48-55; Lyle discloses that the method of determined if the rate of certain
types of messages exceeds a normal level). Moreover, Lyle discloses the
method of scanning, detecting and determining suspicious data or an attack may
be taking place by detecting the number of rate exceeding by a prescribed
amount of time. Therefore, Lyle and Smithson meet the claim limitation.

In response to C); Examiner respectfully disagrees. In response to 
Applicant's argument, the Patent Office maintains the rejection because Lyle and
Smithson do teach "responsively to the increase, filtering the communication
traffic so as to remove at least a portion of the communication traffic that is
generated by the worm infection" (figure 23; col 6, lines 34-43; Smithson
discloses that the method of blocking email attachments and other attachment if
the number of attachments exceeds a predetermined threshold level). Moreover,
Smithson discloses the method of blocking out or filtering out further attachments
or future email attachments if detected the increase number of decreases
number of attachment. Therefore, Lyle and Smithson meet the claim limitation.



In response to D); Examiner respectfully disagrees. In response to 
Applicant's argument, the Patent Office maintains the rejection because Lyle and
Smithson do teach "monitoring the communication traffic on a network so as to
detect ill-formed packets" (col 2, lines 14-20; col 4, lines 60 - col 6, lines 15; col
7, lines 9-19; Lyle discloses that the method of scanning the network for the
suspicious data within the tracking system). Moreover, Lyle discloses the
method of detecting, monitoring the suspicious packets or potential attack. Even
though Lyle does not specifically state "ill-formed packets", but it's obvious to
assume the suspicious packets or potential attack could be an "ill-form" packet, it
may harm the system in one way or another. Therefore, Lyle and Smithson meet
the claim limitation.

(11) Related Proceeding(s) Appendix

No decision rendered by a court or the Board is identified by the examiner in the 
Related Appeals and Interferences section of this examiner's answer. 

For the above reasons, it is believed that the rejections should be sustained. 

Respectfully submitted, 
Thuong (Tina) Nguyen 
Examiner, Art Unit 2455 